What are weak ciphers?
Cryptography relies on ciphers to encrypt our data. For example, RC4 (Rivest Cipher 4 also known as ARC4 or ARCFOUR meaning Alleged RC4) is one. While RC4 is remarkable for its simplicity and speed, multiple vulnerabilities have been discovered since the original release of RC4, rendering it insecure. RC4 is especially vulnerable when the beginning of the output key stream isn’t discarded, or when non-random or related keys are used.
How do I use this security assessment to improve my organizational security posture?
- Review the security assessment for weak cipher usage.
- Research why the identified clients and servers are using weak ciphers.
- Remediate the issues and disable use of RC4 and/or other weak ciphers (such as DES/3DES).
- To learn more about disabling RC4, see the Microsoft Security Advisory.
Note
This assessment is updated in near real time.
Remediation
Note
Make sure to test the following settings in a controlled environment before enabling them in production.
To remediate weak cipher usage, modify the msDS-SupportedEncryptionTypes AD attribute on the applicable devices and accounts, and remove the weak ciphers based on these bit flags.
After ensuring that devices and accounts are no longer using the weak ciphers, then modify the domain controller security policy to drop the weak ciphers from the Network security: Configure encryption types allowed for Kerberos setting.